Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summary
"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 12 July 2012 15:39 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FD2F11E80BC for <oauth@ietfa.amsl.com>; Thu, 12 Jul 2012 08:39:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.958
X-Spam-Level:
X-Spam-Status: No, score=-0.958 tagged_above=-999 required=5 tests=[AWL=-0.057, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZOm7les6w3yl for <oauth@ietfa.amsl.com>; Thu, 12 Jul 2012 08:39:52 -0700 (PDT)
Received: from ipxcno.tcif.telstra.com.au (ipxcno.tcif.telstra.com.au [203.35.82.208]) by ietfa.amsl.com (Postfix) with ESMTP id 60B9F11E8098 for <oauth@ietf.org>; Thu, 12 Jul 2012 08:39:50 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.77,575,1336312800"; d="scan'208";a="80841234"
Received: from unknown (HELO ipccni.tcif.telstra.com.au) ([10.97.216.208]) by ipocni.tcif.telstra.com.au with ESMTP; 13 Jul 2012 01:40:21 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,6769"; a="76468336"
Received: from wsmsg3701.srv.dir.telstra.com ([172.49.40.169]) by ipccni.tcif.telstra.com.au with ESMTP; 13 Jul 2012 01:40:20 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3701.srv.dir.telstra.com ([172.49.40.169]) with mapi; Fri, 13 Jul 2012 01:40:20 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Fri, 13 Jul 2012 01:40:18 +1000
Thread-Topic: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summary
Thread-Index: Ac1gA6rgdKoYPtxlRWCzkT7lZ+icVwAP5p9g
Message-ID: <255B9BB34FB7D647A506DC292726F6E114F7AB4406@WSMSG3153V.srv.dir.telstra.com>
References: <213AE838-274D-4809-B841-CCCC51C7B3CD@gmx.net>
In-Reply-To: <213AE838-274D-4809-B841-CCCC51C7B3CD@gmx.net>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summary
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2012 15:39:53 -0000
> III) Hybrid Scenario (the OAuth Holder-of-the-Key Use case) > > client_hello, > cert-receive=(X.509, Raw) // (1) > cert-send=(Raw) -> // (2) > > <- server_hello, > cert-info=(X.509),// (3) > certificate, // (4) > certificate_request, // (5) > cert-receive=(Raw) // (6) > server_key_exchange, > server_hello_done > > cert-info=(Raw), // (7) > certificate, // (8) > client_key_exchange, > change_cipher_spec, > finished -> > > <- change_cipher_spec, > finished > > Application Data <-------> Application Data > > Legend: > > (1) Client accepts to receive X.509 certs and raw public keys, in this > order of preference. (Could also be X.509 only in this example) > (2) The client does have a raw public key for client authentication. > (3) The server decides to sends his X.509 cert and indicates this in > the cert-info field. > (4) The certificate payload contains the X.509 cert. > (5) The server wants to use client authentication and sends a cert- > request. > (6) The certificate request asks for a certificate of type 'raw' > (knowing that the client supports it from (2)). > (7) The client indicates that the certificate payload contains a raw > public key. > (8) Here is the payload of the certificate itself. So the OAuth client completes a TLS handshake with a protected resource using a raw key, but the protected resource doesn't get any authorization for that raw key until it sees an access_token which appear where? In an HTTP header somewhere in the App Data some time after the TLS handshake finishes? -- James Manger
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… Hannes Tschofenig
- [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summary Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… Manger, James H
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… John Bradley
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… John Bradley
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… Phil Hunt
- Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summ… John Bradley